Each year, the Black Duck OnDemand audit services group conducts open source audits on thousands of applications for its customers—primarily in conjunction with merger and acquisition transactions.
This 2018 report is based on data from various sectors such as healthcare, mobile app markets, IoT, big data, and more.
Key Findings:
In this day and age, where knowledge gained by degree has more standing than experience and cut-and-paste or reuse is more familiar and faster than appropriate development practice, are you surprised at this? It has always been easier to copy chunks of code from someone else than to develop your own, and who cares if it has bugs - someone in the wider community will fix it eventually. This is what happens when you let the children run the playground.
@CEMyers wrote: In this day and age, where knowledge gained by degree has more standing than experience and cut-and-paste or reuse is more familiar and faster than appropriate development practice, are you surprised at this?
I'd add that there is a marked disconnect between the average product development team and the field / consumers of security products.
I've posted on LinkedIn about Cisco & Palo Alto products previously requiring Flash, one of the most vulnerable software products available (open source or otherwise), if not the most vulnerable. Add to that the hidden installs that Flash has, in the past at any rate, bundled in, and it's ridiculous all the way around (looking at you, Intel/McAfee - desktop "security" products, nonetheless).
Implemented properly, I'd suggest open source is capable of being just as secure as purchased software, possibly more so if the DevOps team is applying appropriate tools & controls to the development processes & source code. If DevSec is not effective (which often seems to be the case), it seems like a toss-up as to the general assessment of vulnerabilities & associated risks.
As some of the more recent "headlines" have been malware exploiting months-old vulnerabilities, it certainly doesn't seem like "security users" are any better (generally). But I'd agree with anyone saying it would be nice, and we should be expecting, security companies to be better.
/d
What about IoT devices, which sneak into homeowners' domains without the owners even being aware they exist or how to update the firmware, let alone that they are potentially turned on all the time?
For example and the list goes on and on:
Do routers really count as IoT? I have a web-connected A/C, and I love it. It's also on its own SSID with access to nothing else...
Makes a good case for e.g. Meraki, even though they aren't exactly consumer-friendly in their pricing.